How do I turn on provisioning for our Enterprise application in Azure AD without being in the gallery? - azure-active-directory

I created an Application Registration on our Azure AD.
I then use the application registration ID to create an "Enterprise Application" in our customers' ADs.
It goes like this:
Their admin signs into our system and clicks "connect AD".
We send a challenge (OpenID Connect) that allows them to sign into their Microsoft account.
This creates our application under "Enterprise Applications" in their AD, and it then works fine with SSO.
So far so good. But now we want to add the next logical step, provisioning with SCIM v2. However, if I browse to our app under Enterprise Applications on a customer/test AD and then click Provisioning, I see the following
There is no way to hook up provisioning, regardless of whether I support SCIM 2 as required.
Why is this? Does our app need to be in the gallery for this to work?
I noticed I can go to Enterprise Applications > New application > Non-gallery application and create a new application. This will then work with provisioning.
But then our customers would need two apps, one from our app registration that does SSO and one more for provisioning. I would like one app to do both.

Your app needs to be in the gallery to have provisioning enabled. Barring that, the only other option is what you've already described - a custom non-gallery app.
To get your app in the gallery, see https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing

Related

Unable to set up single sign on for enterprise application in Azure AD

We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When you add the HubSpot application from the Azure AD Enterprise application gallery like below, you should be able to see whether the SSO setting is available and the ways in which SSO can be supported. (Here I am able to use SAML-based SSO or linked SSO.)
Then you should be able to edit the SAML configuration.
For me, when I search for the HubSpot app created in app registrations, it is under the supported account type of my organization only.
Please check whether the app is registered and added as a multi-tenant app in your case; users have to use the login for the particular tenant instead of common to avoid the error.
Also, user accounts need to be pre-provisioned into HubSpot prior to
sign-in.
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow

What is the currently working and correct way to set up an Azure Application that allows MSA signin?

Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. @live.com, @hotmail.com, etc. accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
The documentation for none of these seem to cover the scenario end-to-end and most of it is completely out of sync with other developments.
I am hoping here to get some point of guidance from other developers that have actually gone through this journey themselves (rather than folks that just read the documentation). In specific, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official & supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.

How long will it take for apps registered in the v2 app portal to show up in Enterprise Applications in the Azure portal?

I registered an app in the v2 portal (apps.dev.microsoft.com). It says 'This application will be registered in the Azure Active Directory instance used to manage your account'. Now 3 hours have passed, and when I go to the 'enterprise applications' tab in Azure portal - Active Directory, I still don't see it there. Why? How long will it take?
The enterprise applications blade represents Service Principals, rather than applications. Here's an excellent doc that walks through details of the difference between an application & service principal.
A Service Principal can be thought of as an instantiation of your application into the tenant. In the example of multi-tenancy, you as an app developer may register an application, then have multiple tenants sign in & consent to the app. At that point, each of those tenants will get a Service Principal provisioned into their tenant and it will show up in the Enterprise Apps section.
To prompt a Service Principal to be provisioned in the same tenant as the app registration, you simply need to complete a sign in request and consent to the application. It should show up after that.

App registered in v2 endpoints: why has the 'user and group' option disappeared?

I registered an app in the v2 endpoint (apps.dev.microsoft.com). However, in the Azure portal I cannot see the 'user and group' option, where I would like to control access by security groups. Is this feature supported?
This is because the app you created is a Native App.
I did a test and found that when you register a Native App and grant permissions to it, it appears in Enterprise Applications without Users and Groups. Just like this:
Native client registrations are multi-tenant by default. You don’t
need to take any action to make a native client application
registration multi-tenant.
If you want to have the Users and Groups section, you need to register a Web app/API application.
Hope this helps!
Yes, this is supported - Applications created in the Application Registration Portal (v2) will show up in portal.azure.com under Enterprise Apps and you should be able to assign permissions to it.
It is likely that you are not seeing this because you are not signed in as Tenant Admin.

Multi-tenant Microsoft SSO in self hosted Canvas LMS

I have been able to set up the single tenant SSO but don't really know what steps to follow on (Canvas or Azure side) to enable multi-tenant.
Canvas LMS is hosted on my own website.
You can follow the steps below to convert your application into a multi-tenant app.
In Azure Portal, update your application registration to be multi-tenant. You can make your registration multi-tenant by finding the “Multi-Tenanted” switch on the properties page of your application registration in the Azure portal and setting it to “Yes”.
Update your code to send requests to the /common endpoint: https://login.microsoftonline.com/common
Update your code to handle multiple issuer values
Understand user and admin consent and make appropriate code changes
For more details about multi-tenant applications, please refer to the following article.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
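
The "handle multiple issuer values" step from the answer above, as an added example that is not part of the original answer or of Canvas. It assumes the token's signature, audience and expiry were already verified; the function names, the sample tenant IDs and the onboarding allow-list are hypothetical.

```python
import re

# Issuer templates Azure AD publishes for multi-tenant metadata (v1 and v2.0).
ISSUER_TEMPLATES = (
    "https://sts.windows.net/{tenantid}/",
    "https://login.microsoftonline.com/{tenantid}/v2.0",
)
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed sample tenant IDs (placeholders, not real tenants).
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
ONBOARDED = {TENANT_A}  # hypothetical allow-list of customers that connected their AD


class IssuerError(ValueError):
    """Raised when a token's issuer must not be trusted."""


def validate_issuer(claims, allowed_tenants):
    """Return the tenant ID if the issuer is acceptable, otherwise raise.

    Assumes signature, audience and expiry were already verified elsewhere.
    """
    tid = str(claims.get("tid", "")).lower()
    iss = claims.get("iss", "")
    if not GUID_RE.fullmatch(tid):
        raise IssuerError("missing or malformed tid claim")
    # iss must be exactly a known template with this token's own tid filled in.
    if iss not in {t.replace("{tenantid}", tid) for t in ISSUER_TEMPLATES}:
        raise IssuerError("iss does not match tid")
    # Multi-tenant is not "any tenant": accept only tenants that were onboarded.
    if tid not in allowed_tenants:
        raise IssuerError("tenant is not onboarded")
    return tid


def issuer_ok(claims, allowed_tenants=ONBOARDED):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_issuer(claims, allowed_tenants)
        return True
    except IssuerError:
        return False
```

Binding `iss` to the token's own `tid` rejects a token whose issuer names one tenant while its claims name another, and the allow-list keeps tenants that never went through the connect flow from signing in through /common.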
